What were you trying to do that didn't work?
IPA should be able to handle DNs with the attribute type expressed as an
OID, per https://www.rfc-editor.org/rfc/rfc4514#section-3:
distinguishedName = [ relativeDistinguishedName *( COMMA relativeDistinguishedName ) ]
relativeDistinguishedName = attributeTypeAndValue *( PLUS attributeTypeAndValue )
attributeTypeAndValue = attributeType EQUALS attributeValue
attributeType = descr / numericoid   # <<<===
attributeValue = string / hexstring
It should accept the DN and treat the [string representation of] the
value as opaque data.
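The following parser is an added illustration of the RFC 4514 grammar quoted above; it is not FreeIPA code and does not reflect how IPA's DN handling is implemented. It accepts an attributeType given either as a descriptor (cn, o) or as a dotted numericoid, performs no lookup of the OID against any schema, and returns every attributeValue verbatim (escapes and hexstrings left intact) so that the caller can treat it as opaque data. The sample DNs in the test are constructed; the OIDs in them are arbitrary.

```python
"""Minimal RFC 4514 DN parser: attribute types may be descriptors or
numeric OIDs, and values are kept as opaque string representations."""
import re

# attributeType = descr / numericoid (RFC 4514 s.3; lexical forms from RFC 4512 s.1.4)
_DESCR = r"[A-Za-z][A-Za-z0-9-]*"
_NUMERICOID = r"(?:0|[1-9][0-9]*)(?:\.(?:0|[1-9][0-9]*))+"
# numericoid is tried first so a descriptor cannot swallow a leading digit
_ATTR_TYPE = re.compile(rf"(?:{_NUMERICOID}|{_DESCR})")
# hexstring = SHARP 1*hexpair
_HEXSTRING = re.compile(r"#(?:[0-9A-Fa-f]{2})+")


class DNSyntaxError(ValueError):
    """Raised when the input does not match the RFC 4514 productions."""


def _read_value(dn: str, pos: int) -> tuple[str, int]:
    """Return (raw attributeValue, index of the terminating ',' / '+' / end).

    Backslash escapes are not decoded: the value is returned exactly as
    written so a consumer can treat it as opaque data."""
    if pos < len(dn) and dn[pos] == "#":
        m = _HEXSTRING.match(dn, pos)
        if not m:
            raise DNSyntaxError(f"bad hexstring at offset {pos}")
        end = m.end()
        if end < len(dn) and dn[end] not in ",+":
            raise DNSyntaxError(f"unexpected character after hexstring at offset {end}")
        return dn[pos:end], end
    i = pos
    while i < len(dn):
        c = dn[i]
        if c == "\\":
            # pair = ESC ( ESC / special / hexpair ): skip the escaped unit whole
            if i + 1 >= len(dn):
                raise DNSyntaxError("dangling backslash at end of DN")
            i += 3 if re.match(r"[0-9A-Fa-f]{2}", dn[i + 1 : i + 3]) else 2
            continue
        if c in ",+":  # unescaped COMMA / PLUS ends this value
            break
        i += 1
    return dn[pos:i], i


def parse_dn(dn: str) -> list[list[tuple[str, str]]]:
    """Parse a DN into a list of RDNs, each a list of (attributeType, attributeValue).

    "cn=a+2.5.4.11=b,1.2.3.4=x" -> [[("cn", "a"), ("2.5.4.11", "b")], [("1.2.3.4", "x")]]
    """
    rdns: list[list[tuple[str, str]]] = []
    if dn == "":
        return rdns  # RFC 4514 permits the empty DN
    pos = 0
    rdn: list[tuple[str, str]] = []
    while True:
        m = _ATTR_TYPE.match(dn, pos)
        if not m or m.end() >= len(dn) or dn[m.end()] != "=":
            raise DNSyntaxError(f"expected attributeType '=' at offset {pos}")
        attr_type = m.group(0)  # accepted on syntax alone, never looked up
        value, pos = _read_value(dn, m.end() + 1)
        rdn.append((attr_type, value))
        if pos == len(dn):
            rdns.append(rdn)
            return rdns
        if dn[pos] == "+":  # PLUS: another attributeTypeAndValue in the same RDN
            pos += 1
            continue
        rdns.append(rdn)  # COMMA: start the next RDN
        rdn = []
        pos += 1


def is_valid_dn(dn: str) -> bool:
    """True if the DN parses under the grammar above, regardless of which OIDs it uses."""
    try:
        parse_dn(dn)
        return True
    except DNSyntaxError:
        return False


if __name__ == "__main__":
    # constructed sample: a subject DN mixing a descriptor with an unregistered OID
    print(parse_dn("CN=Example Issuing CA,1.2.3.4.5=opaque value,O=Example"))
```

The parser's only job is to decide whether the string is well-formed; an unfamiliar numericoid such as `1.2.3.4.5` is accepted on syntax alone, which is the behaviour the report asks of IPA.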
What is the impact of this issue to you?
Failures to add certificates with valid, but unknown OIDs in DNs.
Please provide the package NVR for which the bug is seen:
ipa-server-4.12.2-14.el9_6.5.x86_64
How reproducible is this bug?:
Always
Steps to reproduce
- sign the CSR with a CA whose subject DN contains an attribute type OID unknown to IPA
- try to install it either during two-step IPA installation, or via `ipa-cacert-manage renew`
- Installation fails with error
- [error] InvalidSyntax: ipaCaIssuerDN: value #0 invalid per syntax: Invalid syntax.
Expected results
Installation succeeds